CLAIM LISTING 



1. (Currently Amended) A security protocol method comprising: 

simultaneously authenticating multiple facets of an endpoint; 

combining the multiple facet s of the endpoint with a pre master secret; 

cryptographically hashing a platform configuration value representing a configuration 
state of an endpoint platform to generate a cryptographic hash of the platform 
configuration ; 

mixing the cryptographically hashed cryptographic hash of the platform configuration 
with the a pre-master secret via a hash algorithm to generate a master secret; and 
negotiating a communication channel; 

signing the master secret with multiple authentication facets of the endpoint, the 

multiple authentication facets including a user key representing a particular user and a 
platform key representing the particular endpoint platform; 

encrypting the ma s ter s ecret to authenticate a authenticating the negotiated 
communication channel with the signed master secret to establish the negotiated 
communication channel as a secure channel . 

2. (Original) The method of claim 1 , wherein a platform private key is bound to the 
platform configuration using a trusted platform device. 

3. (Original) The method of claim 2, wherein the trusted platform device comprises a 
processor coupled to a protected storage device. 

4. (Original) The method of claim 1, wherein cryptographically hashing the platform 
configuration comprises cryptographically hashing the platform configuration using a secure 
hashing algorithm. 

5. (Original) The method of claim 4, wherein the secure hashing algorithm comprises 
Secure Hashing Algorithm Version 1.0 (SHA-1). 

6-9. (Canceled) 
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10. (Currently Amended) The method of claim 6 claim 1 , wherein the platform 
configuration includes multiple identities and one or more certified keys the platform key 

includes one or more platform identity keys. 



11. (Currently Amended) The method of claim 6 claim 1 , wherein the platform 
configuration includes multiple identities and one or more certified keys the platform key 

includes each platform configuration identity key. 

12. (Original) The method of claim 1 , further comprising enabling the encrypted master 
secret to be decrypted at another endpoint, wherein the master secret is used by each endpoint to 
generate the session keys. 

13. (Original) The method of claim 1 , further comprising: 

exchanging an explanation of the platform configuration hashes following session key 
negotiations to finalize the authentication; 

verifying, at both endpoints, key exchange messages, certificates and platform 
configuration data; and 

authenticating the session if no problems arise during verification. 

14. (Original) The method of claim 13, further comprising halting the authentication session 
if problems arise during verification. 

15. (Original) The method of claim 13, further comprising enabling endpoints to exchange 
data, wherein each endpoint knows that the platform from the other endpoint has been 
authenticated using a platform identity that ties to the trusted platform module. 

16. (Withdrawn) A security protocol comprising: 

a first handshake phase to issue attestation identity credentials; and 
a second handshake phase to authenticate based on the attestation identity credentials 
issued in the first handshake phase. 
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17. (Withdrawn) The security protocol of claim 16, further comprising a session resumption 
handshake phase to resume a previous session. 

18. (Withdrawn) The security protocol of claim 16, wherein the first handshake phase 
comprises a registration handshake protocol and the second handshake phase comprises an 
authentication and attestation protocol. 

19. (Withdrawn) The security protocol of claim 16, wherein the second handshake phase 
comprises an authentication protocol, wherein the authentication protocol includes platform 
authentication. 

20. (Withdrawn) The security protocol of claim 16, wherein the second handshake phase 
comprises an authentication and attestation protocol, wherein the authentication and attestation 
protocol include platform authentication and platform configuration reporting. 

21. (Withdrawn) The security protocol of claim 16, wherein the second handshake phase 
comprises an authentication and attestation protocol, wherein the authentication and attestation 
protocol include user authentication, platform authentication, and platform configuration 
reporting. 

22. (Withdrawn) The security protocol of claim 16, wherein the attestation identity credential 
comprises a DAA (Direct Anonymous Attestation) credential. 

23. (Withdrawn) The security protocol of claim 16, wherein the second handshake phase 
includes multiple identities to utilize during authentication, wherein the multiple identities 
comprise one or more user identity keys, platform identity keys, platform configuration register 
values, and stored measurement logs for a server and client, wherein platform configuration 
register values are modified to incorporate a handshake state digitally combining a master secret 
into the platform configuration register values. 

24. (Withdrawn) The security protocol of claim 16, further comprising a session resumption 
protocol to resume a previous session. 

25. (Withdrawn) A network security handshake exchange method comprising: 
receiving a pre-master secret, wherein the pre-master secret contains a nonce generated 

by a server, the pre-master secret including server platform configuration data in the form of a 
server stored measurement log; 

augmenting the pre-master secret with a hash of server platform configuration register 

values; 
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modifying the server platform configuration register values to incorporate a handshake 
state by measuring the pre-master secret into the server platform configuration register values; 

authenticating the modified pre-master secret by digitally signing the modified pre-master 
secret with a server platform identity key and a server user identity key; and 

sending a first message to a client, wherein the message comprises the pre-master secret, 
the modified pre-master secret, the modified pre-master secret digitally signed with the server 
platform identity key and the modified pre-master secret digitally signed with the server user 
identity key. 

26. (Withdrawn) The method of claim 25, wherein the first message further comprises the 
server platform configuration register values and the server stored measurement log. 

27. (Withdrawn) The method of claim 25, further comprising: 

receiving an encrypted master secret from the client via a second message, wherein the 
encrypted master secret is a modification of the modified prc-mastcr secret; 
verifying the second message; and 
generating session keys if the second message is verified. 

28. (Withdrawn) The method of claim 27, wherein verifying the second message comprises 
determining client platform configuration register values from a client stored 

measurement log; 

determining the modified pre-master secret from information in the second message; and 
comparing the determined modified pre-master secret with the modified pre-master 

secret. 

29. (Withdrawn) A network security handshake exchange method comprising: 
receiving a first message from a server, the first message comprising a server modified 

pre-master secret; 

augmenting the server modified pre-master secret with a hash of client platform 
configuration register values; 

modifying the client platform configuration register values to incorporate a handshake 
state by measuring the server modified pre-master secret into the server platform configuration 
register values, wherein modifying the client platform configuration results in a master secret; 

digitally signing the master secret with a client user key and a client platform key; and 
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sending a second message to the server, wherein the second message comprises the 
master secret, master secret digitally signed with the client platform identity key and the master 
secret digitally signed with the client user identity key. 

30. (Withdrawn) The method of claim 29, wherein the second message further comprises the 
client platform configuration register values and the client stored measurement log. 

31. (Withdrawn) The method of claim 29, further comprising: 
verifying the first message; and 

generating session keys if the first message is verified. 

32. (Withdrawn) The method of claim 3 1 , wherein verifying the first message comprises: 
determining server platform configuration register values from a server stored 

measurement log; 

determining a pre -master secret from information in the first message; and 
comparing the determined pre-master secret with an original pre-master secret, wherein 
the first message comprises the original pre-master secret. 

33. (Currently Amended) An article comprising: a tangible storage medium having a 
plurality of machine accessible instructions stored thereon , wherein when the instructions are 
executed by a processor, the instructions provide for simultaneously authenticating multiple 
facets of an endpoint; 

combining the multiple facet s of the endpoint with a pre master secret; 

cryptographically hashing a platform configuration value representing a configuration 
state of an endpoint platform to generate a cryptographic hash of the platform 
configuration ; 

mixing the cryptographically hashed cryptographic hash of the platform configuration 
with the a pre-master secret via a hash algorithm to generate a master secret; and 
negotiating a communication channel; 

signing the master secret with multiple authentication facets of the endpoint, the 

multiple authentication facets including a user key representing a particular user and a 
platform key representing the particular endpoint platform; 
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encrypting the master secret to authenticate a authenticating the negotiated 
communication channel with the signed master secret to establish the negotiated 
communication channel as a secure channel . 

34. (Original) The article of claim 33, wherein a platform private key is bound to the 
platform configuration using a trusted platform device. 

35. (Original) The article of claim 34, wherein the trusted platform device comprises a 
processor coupled to a protected storage device. 

36. (Original) The article of claim 33, wherein instructions for cryptographically hashing the 
platform configuration comprises instructions for cryptographically hashing the platform 
configuration using a secure hashing algorithm. 

37. (Original) The article of claim 36, wherein the secure hashing algorithm comprises 
Secure Hashing Algorithm Version 1.0 (SHA-1). 

38-41. (Canceled) 

42. (Currently Amended) The article of claim 38 claim 33 , wherein the platform 
configuration includes multiple identities and one or more certified keys the platform key 

includes one or more platform identity keys. 

43. (Currently Amended) The article of claim 38 claim 33 , wherein the platform 
configuration includes multiple identities and one or more certified keys the platform key 

includes one or more platform identity keys. 

44. (Original) The article of claim 33, further comprising instructions for enabling the 
encrypted master secret to be decrypted at another endpoint, wherein the master secret is used by 
each endpoint to generate the session keys. 
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45. (Original) The article of claim 33, further comprising instructions for: 
exchanging an explanation of the platform configuration hashes following session key 

negotiations to finalize the authentication; 

verifying, at both endpoints, key exchange messages, certificates and platform 
configuration data; and 

authenticating the session if no problems arise during verification. 

46. (Original) The article of claim 45, further comprising instructions for halting the 
authentication session if problems arise during verification. 

47. (Original) The article of claim 45, further comprising instructions for enabling endpoints 
to exchange data, wherein each endpoint knows that the platform from the other endpoint has 
been authenticated using a platform identity that ties to the trusted platform module. 
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